How should an API use HTTP Basic authentication

Posted by user1626384 on Programmers
Published on 2012-09-12T10:22:32Z Indexed on 2012/09/12 15:49 UTC

When an API requires that a client authenticates to it, I've seen two different scenarios used and I am wondering which case I should use for my situation.

Example 1. An API is offered by a company to allow third parties to authenticate with a token and secret using HTTP Basic.

Example 2. An API accepts a username and password via HTTP Basic to authenticate an end user. Generally they get a token back for future requests.

My Setup: I will have a JSON API that I use as my backend for a mobile and web app. It seems like good practice for both the mobile and web app to send along a token and secret so only these two apps can access the API, blocking any other third party.

But the mobile and web app allow users to log in and submit posts, view their data, etc. So I would want them to log in via HTTP Basic as well on each request.

Do I somehow use a combination of both these methods or only send the end user credentials (username and token) on each request? If I only send the end user credentials, do I store them in a cookie on the client?
